The Microsoft Windows Print Spooler service fails to restrict access to the RpcAddPrinterDriverEx() function, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system. Identified as CVE-2021-1675, the security issue could grant remote attackers full control of vulnerable systems. Print Spooler manages the printing process in Windows, including loading the appropriate printer drivers and scheduling print jobs.
The RpcAddPrinterDriverEx() function is used to install a printer driver on a system. One of its parameters is a DRIVER_CONTAINER object, which describes the driver to be used by the added printer. Another parameter, dwFileCopyFlags, specifies how replacement printer driver files are to be copied. An attacker can take advantage of the fact that any authenticated user can call RpcAddPrinterDriverEx() and specify a driver file that lives on a remote server. This results in the Print Spooler service, spoolsv.exe, executing code from an arbitrary DLL file with SYSTEM privileges.
While Microsoft has released an update for CVE-2021-1675, it is important to realize that this update does NOT address the publicly available exploits that are also labelled CVE-2021-1675.
Exploit code for this vulnerability that targets Active Directory domain controllers is publicly available as PrintNightmare.
By sending an RpcAddPrinterDriverEx() RPC request, for example over SMB, a remote, authenticated attacker may be able to execute arbitrary code with SYSTEM privileges on a vulnerable system.
Microsoft has not issued a permanent fix for this vulnerability. Users and administrators are advised to apply the following workaround:
Stop and disable the Print Spooler service.
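The workaround above, applied and verified on the local host, as an added example (not part of the original advisory). It assumes the standard service name Spooler and an elevated Windows PowerShell 5.1 or newer session.

```powershell
# Added example, not from the original advisory: stop and disable the
# Print Spooler service, then verify that both changes took effect.
# Assumes the standard service name 'Spooler' and an elevated session.
#Requires -RunAsAdministrator

$svcName = 'Spooler'

function Get-SpoolerState {
    # Returns the current run state and start-up type of the service.
    $svc = Get-Service -Name $svcName -ErrorAction Stop
    [pscustomobject]@{
        Status    = $svc.Status
        StartType = $svc.StartType
    }
}

$before = Get-SpoolerState
Write-Host "Before: Status=$($before.Status) StartType=$($before.StartType)"

# Stop the running service so spoolsv.exe no longer services RPC requests
# such as RpcAddPrinterDriverEx(). -Force also stops dependent services.
if ($before.Status -ne 'Stopped') {
    Stop-Service -Name $svcName -Force -ErrorAction Stop
}

# Disable the service so it does not return after a reboot or on demand.
Set-Service -Name $svcName -StartupType Disabled -ErrorAction Stop

$after = Get-SpoolerState
Write-Host "After:  Status=$($after.Status) StartType=$($after.StartType)"

# Fail loudly if either half of the workaround did not apply.
if ($after.Status -ne 'Stopped' -or $after.StartType -ne 'Disabled') {
    throw "Workaround not applied: Status=$($after.Status) StartType=$($after.StartType)"
}

# Side effect: with the spooler stopped, this host can neither print locally
# nor serve print clients until the service is re-enabled and started.
```

Re-run the script after patch cycles or configuration management runs, since anything that re-enables the service silently undoes the workaround.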
Source: ThreatPost / Hacker news / Github